Data Protection

See Tickets commits to protecting the data provided by its clients, subscribers, employees and other natural persons.

The purpose of this document is to:
- Establish procedures to regulate the management of these personal data
- To demonstrate the commitment of See Tickets with regards to the protection of personal data
- To limit the risk of data breach
- To comply with the applicable laws and regulations (in particular,the Data Protection Act and the GDPR)

This policy is to be updated at least once per year by Alex Spencer, Senior Project Manager.

1. Definition and principles of data protection

1.1. Definitions

Personal Data

Any information relating to an identified or identifiable natural person, whether directly or indirectly

Any operation or set of operations which is performed, whether or not by automated means, and applied to personal data or sets of personal data (such as collection, recording, storage, modification, consultation, disclosure, reconciliation, erasure or destruction, etc.)

Data controller

The natural or legal person, public authority, service or other organism which, alone or jointly, determines the means and the purposes of processing

Data processor

The natural or legal person, public authority, service or other organism which processes personal data, whether or not they are a third party

Recipient

The natural or legal person, public authority, service or other organism to whom personal data are disclosed, whether or not they are a third party

Third party

A natural or legal person, public authority, service or other organism other than the data subject, data controller, data processor or those authorised to process the personal data

Consent

Any freely given, specific and informed manifestation by which the data subject accepts, by a declaration or by clear positive action, that the personal data be processed

Personal data breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data transmitted, stored or otherwise processed, including unauthorised access to the data

Supervisory authority

An independent public body established by a Member State pursuant to article 51 of the GDPR

1.2. Data protection principles

Fair, lawful and transparent processing

Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Purpose limitation principle

Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.

Data minimisation

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.

Accuracy

Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are either erased or rectified without delay.

Data retention periods

Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Data Security

Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Accountability

The controller is responsible for, and must be able to demonstrate, compliance with the Data Protection Principles.

2. Roles & Responsibilities

Governance of the entity in relation to data protection and responsibility is down to the Data Protection Officer Alex Spencer. He can be contacted for matters on Data Protection via privacy@seetickets.com

3. Compliance tools

Record of data processing activities - See Tickets maintains an up-to-date record of their data processing activities in accordance with article 30 of the GDPR. This record must be made available to the supervisory authority on demand.

PIA - Where a type of processing, in particular the use of emerging technologies, and in view of the nature, scope, and context of the purpose(s) of processing, is apt to cause a heightened risk to the rights and freedoms of natural persons, See Tickets carries out, before processing, an analysis of the expected impact of processing on the personal data. A PIA model has been formalised in Excel format.

4. Third party management

As data controller

For all processing involving third-party data processors, See Tickets implements contracts with the processors including, at the minimum, the requirements stated in article 28 of the GDPR as well as instructions to be followed by the processor, a breach notification clause, an audit clause, a responsibility clause, and provisions which the processor must follow at the end of the contract.

As data processor

Where See Tickets is the processor, it acts only on the predefined instructions of the data controller
- Verify that the instructions do not constitute a violation of the applicable laws and regulations
- Retain a copy of the instructions

If See Tickets recruits a processor, they must implement a binding contract between themselves and the data processor.

See Tickets implements the necessary processes as required by the law and by the applicable regulations, including the record of data processing activities.

Proof of Concept (POC)

The "Proof of Concept" tests are also to be regulated by a legal act, to reinforce at least the instructions and measures to be taken if the POC does not proceed (in particular, the data exchange procedures and data destruction procedures if the POC does not proceed).

5. Rights of data subjects

The data subjects have certain rights concerning their personal data:
- The right of access
- The right of rectification
- The right to erasure (the "right to be forgotten")
- The right to restrict processing
- The right of data portability
- The right to object to processing
- The right not to be evaluated on the basis of automated processing.

See Tickets has implemented a procedure for the management of data subject requests (including the exercise of their rights. This procedure is below:

Step 1: Customer invokes a Subject Access Request

Step 2: See sends the customers an encrypted Zip File on all the data it, it's processors and other controllers associated with See Tickets has on the data subject.

Step 3: If a customer wishes this data to be erased, See, it's processors and other controllers associated with See Tickets will delete the data subjects data.

Step 4: An email confirmation will be sent to confirm this to the Data Subject.

6. Personal Data

6.1. Collection

Underage persons - The legal age of majority relative to the GDPR is fixed at 16 years of age. The regulation makes the provision, however, for each country to lower this age of consent to a minimum of 13 years.

There are special provisions for the processing of personal data relating to minors, notably regarding consent.

Lawful basis - In order to be able to process personal data it is necessary to identify the associated lawful basis for processing. See Tickets can rely on 4 lawful bases:
- Consent of the data subject
- Fulfilment of a contract to which the data subject is party, or the execution of pre-contractual measures
- Compliance with a legal obligation
- Legitimate interest of the data controller
The other two legal bases described in the GDPR are not applicable to See Tickets.

Consent - A specific procedure has been formalised for the management of consent to process a subjects data for marketing purposes. This procedure is in the form of ticking a consent box on the checkout page. Please note that recipients will only ever receive marketing material in email form from See Tickets.

Data minimisation - At the point of data collection, See Tickets collects only the data strictly necessary to meet the purpose(s) of processing. In the event of any change in processing, See Tickets verifies that the data collected are still relevant to the updated process.

6.2. Storage

Media - There are different media used in processing (and therefore different storage locations for the personal data processed). It is essential to identify them all to protect the data correctly and to limit the risk of personal data breaches.

Data confidentiality - The generally applicable rules of confidentiality must also be followed with regards to personal data. The access to personal data must on a ?need to know? basis, combined with application access management. The paper documents containing sensitive personal data must be kept in locked cupboards.

Non-production environments - Whether the data are in the production or pre-production environment, they must be protected in the same way as the risk to the data subjects is the same in the event of a breach, whatever the source. Where possible, it is preferable to avoid storing personal data in pre-production environments; if possible, they should be kept in anonymised databases.

6.3. Communication

Recipients - Any natural or legal person with access to personal data is considered a recipient (whether they are internal or external to the organisation acting as data controller). See Tickets shares personal data only with the recipients necessary to fulfil the stated purpose(s) of processing.

International transfers - Any transfer of personal data which are undergoing or are intended for processing after transfer to a third country or to an international organisation shall take place only if appropriate safeguards are in place, or if other specific exceptions apply. The rules governing data transfers are applicable to internal transfers within Vivendi as well as to external transfers.

6.4. Destruction

Retention period - See Tickets has defined the retention periods for each category of personal data, according to the purposes of processing. See Tickets retains your data for 15 years.

Archiving personal data - Once the data are no longer processed in production, they are archived for the duration of the retention period. The access to these archives is limited, and supplementary security measures are in place to protect the archived data.

7. Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity, for the rights and freedoms of natural persons, See Tickets and the processor(s) shall implement appropriate measures to ensure a level of security that is adapted to the risk. There are different categories of security measures that can be taken to protect the personal data:

Physical security measures - There can be physical security measures, such as physical access controls, the use of specific materials, measures against risks connected to water, fire, etc.

Organisational measures - Organisational measures must also be put in place, such as appropriate governance, policies and procedures, a project methodology, monitoring via reports and dashboards, etc.

Logs - It is important to keep logs in order to remain informed of any changes or developments, and to carry out inspections to verify that the security measures in place are working well.

8. Training and Awareness

Training for key individuals - See Tickets has identified the individuals who, in the context of their professional activity, are required to process a large quantity of personal data, or special categories of personal data (as set out in article 9 of the GDPR). These individuals are trained by the DPO.

Awareness for all employees - See Tickets deploys an annual awareness campaign to remind all employees of the rules and principles of personal data protection.

Point of contact - See Tickets has designated a point of contact to answer employees' questions regarding the protection of personal data: Alex Spencer, Data Protection Officer.

9. Controls and incident management

Controls - See Tickets has implemented controls to ensure that regulatory obligations regarding data protection are followed. The controls must be documented, and the results logged.

Notification in the event of a personal data breach - In the event of a personal data breach, See Tickets assesses the risk for the data subjects and, if there is a risk, notifies the competent supervisory authority within 72 hours. If the risk assessment indicates a high risk for the data subjects, See Tickets communicates the breach of personal data to the data subjects. A specific procedure concerning the management of security incidents has been formalised.

Breach monitoring and documentation - See Tickets has implemented a data breach record. In the event of a personal data breach, See Tickets will analyse the source and formalise recommendations to address the risk(s). The recommendations will be followed to limit the risk of a repeat incident.